On April 22, 2026, a malicious build of the @bitwarden/cli npm package sat live on the public registry for roughly 90 minutes, silently exfiltrating cloud tokens, SSH keys, and AI tooling configurations from any CI runner or developer machine that pulled it. Bitwarden has confirmed the compromise was confined to the npm distribution path: vault data, production systems, and end-user credentials were not accessed. The package averages around 250,000 downloads per month, and the malicious window (5:57 PM to 7:30 PM ET) fell at the end of the East Coast workday and in mid-afternoon on the West Coast.
What Happened
The compromised version, @bitwarden/[email protected], was published to npm at 5:57 PM ET on April 22, 2026 and removed by 7:30 PM ET the same evening. During that 90-minute window, any pipeline running npm install -g @bitwarden/cli without a pinned version resolved the latest tag to the trojanized build, executed it as part of routine CI work, and watched green checks roll in while secrets were quietly shipped out to a public GitHub repository controlled by the attacker. This is the third confirmed wave of the Shai-Hulud supply chain campaign, and the first to land on a security vendor whose entire brand is credential hygiene. Bitwarden's incident response team has published an official statement scoping the impact to the npm publishing pipeline rather than the password manager itself.
What Was Taken
The malicious package targeted Non-Human Identity material on whatever host executed it. Confirmed exfiltration categories include cloud provider access tokens, SSH private keys, and configuration files for AI developer tooling, all written out to an attacker-controlled public GitHub repository. Because the package is commonly installed globally on CI runners and developer laptops, what was harvested depends on what each host held: AWS, GCP, and Azure session credentials, GitHub Actions tokens, container registry credentials, and any locally cached API keys for assistants and coding agents were all in scope. The total victim count remains unknown and will lag the disclosure window, since stolen credentials can outlive the package itself by weeks or months: a token copied to a public repository stays usable until it is rotated, whether or not the package is still installed.
Why It Matters
The Bitwarden incident is instructive because nothing about it is exotic. A security-conscious vendor with mature engineering practices was caught by a worm propagating through a routine npm publish flow, and every artifact harvested on those CI runners was a Non-Human Identity. NHIs do not rotate themselves, do not have MFA, and frequently outlive the humans who created them. When a single compromised dependency runs inside a CI pipeline that has already been authenticated to half a dozen cloud accounts, the blast radius is not the package, it is the entire identity graph the runner can reach. Defenders should treat this as the new baseline for npm risk modeling rather than an outlier.
The Attack Technique
Stage one of the Shai-Hulud third wave propagated through a compromised Checkmarx-related developer tool. Once installed in a developer or CI environment, the tool harvested credentials, including, in some cases, the npm publish tokens used by package maintainers. Stage two leveraged those harvested tokens, along with GitHub Actions workflow compromise, to push a malicious build of @bitwarden/cli through Bitwarden's normal publish path. Stage three was the worm payload itself, which scanned the host for cloud tokens, SSH keys, and AI tooling configuration and posted the results to a public GitHub repository, turning each victim into a beacon and a potential next-hop publisher. The chain succeeded not because any single control failed catastrophically, but because each defensive layer was designed to stop one specific stage in isolation.
What Organizations Should Do
- Audit npm install logs across CI and developer endpoints for @bitwarden/[email protected] between 5:57 PM ET and 7:30 PM ET on April 22, 2026 (21:57 to 23:30 UTC), and treat any match as a confirmed credential exposure. Check the npm cache (~/.npm/_cacache) and the global install directory (npm root -g) as well, since a runner that installed during the window may still hold the tarball or the installed package.
- Rotate every cloud access token, SSH key, GitHub Actions token, container registry credential, and AI tooling API key that was present on an affected runner, regardless of whether exfiltration is observable in logs.
- Pin npm dependencies by integrity hash and require lockfile-only installs in CI (npm ci, which installs exactly what package-lock.json records and fails if the lockfile disagrees with package.json), so a newly published version that satisfies a semver range cannot be picked up automatically. Set ignore-scripts=true in .npmrc so install-time lifecycle hooks cannot run, and remember that a project lockfile does not govern a global npm install -g of a CLI tool: pin those to an explicit version as well. Integrity pinning cannot help when the pinned version is itself the malicious one; it buys a review window, not immunity.
- Move package publish tokens for critical libraries to short-lived OIDC-based trust between CI and the registry (npm calls this trusted publishing), removing long-lived npm tokens from developer machines entirely. This closes the stolen-token path but not the GitHub Actions workflow compromise the attack chain also used, so restrict who can modify publish workflows and require reviewed pull requests for changes to them.
- Inventory Non-Human Identities by runner and pipeline, set rotation SLAs measured in days rather than quarters, and alert on first-use of any token from an unexpected geography or ASN.
- Block egress from CI runners to arbitrary GitHub repositories by default, allowlisting only the org-owned destinations that builds legitimately need. Because the exfiltration target was a public GitHub repository, a DNS or IP allowlist that permits github.com cannot tell an attacker's repository from your own; enforce the policy at a forward proxy that sees the request path, or route builds through an org-owned mirror.
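The audit and lockfile checks in the list above, as an added example that is not part of the article and is not tooling from Bitwarden or npm. It assumes npm's debug-log line format (`<seq> <level> <prefix> <message>`, with tarball downloads logged as `http fetch GET <status> <url> ...`), npm's log file naming (`YYYY-MM-DDTHH_MM_SS_mmmZ-debug-N.log`, stamped when the npm process started), and a lockfileVersion 2 or 3 package-lock.json. The log lines, lockfile entries and version numbers below are constructed for the example; 1.2.3 is a placeholder, not the compromised release. The window is converted to UTC (April 22 is on EDT, UTC-4, so 21:57Z to 23:30Z).

```javascript
'use strict';
// Added example, not code from the article, from Bitwarden, or from npm.
// Three offline checks a responder can run over what a CI runner leaves behind:
//   fetchedCliVersions  - which @bitwarden/cli tarballs an npm debug log shows downloaded
//   logFileInWindow     - whether an npm log file's start time falls inside the malicious window
//   auditLockfile       - lockfile entries with no integrity hash or an off-allowlist resolved URL
// Assumptions: npm's debug-log line format "<seq> <level> <prefix> <message>" (tarball
// downloads appear as "http fetch GET <status> <url> ..."), npm's log file naming
// "YYYY-MM-DDTHH_MM_SS_mmmZ-debug-N.log", and a lockfileVersion 2/3 package-lock.json.

// 5:57 PM to 7:30 PM ET on 2026-04-22; April is on EDT (UTC-4), so 21:57Z to 23:30Z.
const WINDOW_START_MS = Date.UTC(2026, 3, 22, 21, 57, 0);
const WINDOW_END_MS = Date.UTC(2026, 3, 22, 23, 30, 0);

// Matches a registry tarball download of @bitwarden/cli; captures status, URL and version.
const CLI_TARBALL_RE =
  /http fetch GET (\d{3}) (https?:\/\/\S+\/@bitwarden\/cli\/-\/cli-([^\s/]+)\.tgz)/g;

// Returns every @bitwarden/cli version the log shows as actually downloaded (HTTP 200).
function fetchedCliVersions(logText) {
  const hits = [];
  for (const m of logText.matchAll(CLI_TARBALL_RE)) {
    const [, status, url, version] = m;
    if (status === '200') hits.push({ version, url });
  }
  return hits;
}

// The file name carries the time the npm process started, so widen marginMs for slow
// installs that began before 21:57Z and were still fetching inside the window.
function logFileInWindow(fileName, marginMs = 0) {
  const m = /^(\d{4})-(\d{2})-(\d{2})T(\d{2})_(\d{2})_(\d{2})_\d{3}Z-debug-\d+\.log$/.exec(fileName);
  if (!m) return false;
  const startedMs = Date.UTC(+m[1], +m[2] - 1, +m[3], +m[4], +m[5], +m[6]);
  return startedMs >= WINDOW_START_MS - marginMs && startedMs <= WINDOW_END_MS;
}

// Walks lockfile "packages" entries (lockfileVersion 2/3) and reports anything npm ci
// would accept without an integrity check or would fetch from an unexpected host.
function auditLockfile(lock, allowedRegistries = ['https://registry.npmjs.org/']) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project or workspace symlink: nothing fetched
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!entry.integrity) {
      findings.push({ name, version: entry.version, issue: 'missing integrity hash' });
    }
    if (entry.resolved && !allowedRegistries.some((r) => entry.resolved.startsWith(r))) {
      findings.push({ name, version: entry.version, issue: `resolved outside allowlist: ${entry.resolved}` });
    }
  }
  return findings;
}

// ---- Constructed sample input (not real logs; 1.2.3 is a placeholder, not the compromised release) ----
const SAMPLE_LOG = [
  '10 http fetch GET 200 https://registry.npmjs.org/@bitwarden%2fcli 812ms (cache miss)',
  '11 http fetch GET 200 https://registry.npmjs.org/@bitwarden/cli/-/cli-1.2.3.tgz 2310ms (cache miss)',
  '12 http fetch GET 200 https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz 120ms (cache hit)',
].join('\n');

const SAMPLE_LOCK = {
  name: 'example-pipeline',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-pipeline', version: '1.0.0' },
    'node_modules/@bitwarden/cli': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/@bitwarden/cli/-/cli-1.2.3.tgz',
      integrity: 'sha512-constructedExampleHashNotReal',
    },
    'node_modules/left-pad': {          // constructed: no integrity field
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
    },
    'node_modules/internal-helper': {   // constructed: resolved off the allowlist
      version: '0.1.0',
      resolved: 'https://mirror.example.invalid/internal-helper-0.1.0.tgz',
      integrity: 'sha512-constructedExampleHashNotReal',
    },
  },
};

// Bundles the three checks over the constructed input so the script runs stand-alone.
function report() {
  return {
    cliFetched: fetchedCliVersions(SAMPLE_LOG),
    inWindow: logFileInWindow('2026-04-22T22_15_03_117Z-debug-0.log'),
    lockfileFindings: auditLockfile(SAMPLE_LOCK),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

In a real investigation, feed fetchedCliVersions the contents of each file under ~/.npm/_logs/ on every runner image and developer machine, gate by logFileInWindow with a margin that covers your slowest install, and run auditLockfile against every package-lock.json in CI with the registries you actually mirror from; any finding on the first check is a rotation trigger, not a candidate for further triage.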
Sources: Inside the Bitwarden CLI Supply Chain Attack: 90 Minutes That Compromised Developer Secrets | Cremit